Overview
Domino policies provide a powerful way for an administrator to manage their enterprise. But when multiple policies apply to a given user, it can be confusing to understand how the effective policy is determined. This article will explain in detail the factors that determines how policy precedence works.
First there are hierarchies for organizations and groups. There are three levels of policies: explicit, group (dynamic), and organizational. There are also the Inherit/Enforce settings which come into play. Lastly, there are the precedence settings for group policies. We will examine each of these factors in turn. But first, a qualification. Precedence does not mean that one policy completely overrides another. Precedence applies on a per field basis. So a setting in a policy with lower precedence can still make into the effective policy if the policy with a higher precedence does not have a value for that setting.
Hierarchies
Before explaining about the three levels of policies, the first thing that we need to understand is hierarchies. Organizational policies and dynamic polices (because of the group name, "Executives/IBM") can be hierarchical. When hierarchies are present, they are resolved first before precedence is applied.
Take for example the organizational policy "*/Europe/IBM", it is a hierarchical name. If there is also a root organizational policy, "*/IBM" then it would have to be taken into account. So resolving these two policies would result in the following table with some settings/values from the Mail settings for illustrative purposes:
| Required Change Interval | Assigned vault | Warning Period | Allowed Grace Period |
Organizational: */Europe/IBM | Don't Set | N/A | 14 days | 90 days |
Organizational: */IBM | 90 days | N/A | 21 days | N/A |
Note:
Don't Set in the above example and the rest of this document refers to the How To Apply feature of policies that exists on a per setting basis:
That feature will be discussed in another Wiki since it is has a different dynamic in the policy space. For this discussion, having Don't Set for a value means that checkbox is selected.
N/A simply means that the value does not matter.
As will we discuss in more detail in a moment, the more specific a policy is it takes precedence. So in the case of the two organizational policies above, the settings in the more specific policy */Europe/IBM will always take precedence over the more general settings of */IBM which results in an organizational effective policy of:
Effective policy | 90 days | N/A | 14 days | 90 days |
So after any organizational and group hierarchies are resolved, the precedence among the levels can now be determined.
The Three Levels
The precedence of the three levels is defined by there specificity. The more specific or narrowly defined the scope of a policy's assignment, the higher precedence it has. The least specific policy level is the organizational policy, i.e. "*/IBM". This policy applies to everyone that was registered by that organizations certifier and so has a wide scope. If you think of scope as a room full of people at conference, it would be like telling everyone to sit down. A more specific policy is the dynamic group policy, i.e. "Executives", where the user gets the policy because they are a member of a group. This will in general have a much smaller scope therefore it has higher precedence. Going back to the audience analog, it would be the same as telling everyone in the front row to stand up. The most specific policy is the explicit policy, i.e. "Relaxed Logins" that a user gets by either having the policy set in their person document. This kind of policy has the highest precedence. Using the audience analogy, it would be like telling Bob Smith to present the people in the first row who are standing an award certificate. So in decreasing order of precedence it is:
Explicit
Dynamic
Organizational
In order to continue the discussion, it will be useful to have some example policies. So for each of the three levels, here is a sample policy that contains only a few settings. Assume that these are the only settings that have been set. In red are the items that have precedence and are thus included in the effective policy:
| Required Change Interval | Assigned vault | Warning Period | Allowed Grace Period |
Explicit: "Relaxed Logins" | 120 days | Don't Set | Don't Set | 120 days |
Dynamic: "Executives" | Don't Set | /ExecutivesVault | Don't Set | Don't Set |
Organizational: */Europe/IBM | 90 days | N/A | 14 days | 90 days |
So if a user had all of these policies assigned to them, the resultant effective policy would be:
| Required Change Interval | Assigned vault | Warning Period | Allowed Grace Period |
Effective policy | 120 days | /ExecutivesVault | 14 days | 120 days |
How Enforce and Inherit change the rules
For every setting that is specified you can also choose whether to Enforce the setting in a child policy or Inherit that setting from a parent policy. Whereas precedence is based on specificity, the Enforce and Inherit settings are based on scope which is the opposite of specificity. When either of those options are used, the policy with the greater scope wins. Therefore the three levels as listed before has decreasing specificity but increasing scope. Taking the sample above but this time with one setting being enforced and another setting being inherited:
| Required Change Interval | Assigned vault | Warning Period | Allowed Grace Period |
Explicit: "Relaxed Logins" | 120 days | Don't Set | Don't Set | 120 days, INHERIT |
Dynamic: "Executives" | N/A | /ExecutivesVault | Don't Set | Don't Set |
Organizational: */Europe/IBM | 90 days, ENFORCE | N/A | 14 days | 90 days |
So if a user had all of these policies assigned to them, the resultant effective policy would be:
| Required Change Interval | Assigned vault | Warning Period | Allowed Grace Period |
Effective policy | 90 days | /ExecutivesVault | 14 days | 90 days |
The effect of using the Enforce option on a setting is pushing it up to the top the precedence hierarchy. The effect of using the Inherit option on a seting is to pull up a setting from a lower level. In the case of the Allowed Grace Period setting, if there had been no value in the organizational policy, then the setting of 120 days would used. So it will only inherit a value if it is present. It would not inherit an empty value.
Group Precedence
A user can only have one explicit policy or one organizational policy, but they since they can be in several groups they could have multiple dynamic policies. In that case the group precedence is used. The precedence is defined in the Domino Directory under People -> Policies -> Dynamic Policies:
It can also be seen but not modified in the Policy Precedence tab of a policy document itself:
Like how precedence works with the three levels of policies, precedence only comes into play when more than one policy has a value for a particular setting. Otherwise, the setting is just merged into the effective policy. Therefore if you do have two dynamic policies with the same setting, the one with the greatest precedence (the lowest numerical value) will win. When an effective policy is being created for a user, all of the dynamic group settings will be resolved before the precedence with explicit and organizational policies are resolved.
When a new dynamic policy is created, it will automatically be given the lowest precedence value. Using the screenshot example above, a new dynamic policy would be assigned a precedence value of 6. Then the actions buttons in the Domino Directory -> People -> Policies -> Dynamic Policies view can be used to increase or decrease precedence for a selected policy. This will move the policy up/down the list as appropriate and changing the precedence values relative to the other policies. If the policy with the highest precedence is deleted (3 in the example above) then the next lowest value ( 4 in the example above) becomes the highest precedence. Note the precedence values are not rebased in that case. So over time, the precedence values will drift higher.
Putting it all together
The table below shows all of the policies that effect a hypothetical user, Bob Smith. He has 5 policies: 1 explicit, 2 dynamic group, and 2 organizational policies. There is 1 setting with Enforce enable and 1 setting with Inherit enabled. The first 4 settings are from the Mail settings and the last one is from the Traveler settings document.
| Required Change Interval | Assigned vault | Warning Period | Allowed Grace Period | Low Battery Threshold |
Explicit: "Relaxed Logins" | 120 days | Don't Set | Don't Set | 120 days, INHERIT | Don't Set |
Dynamic: "Executives", Precedence 2 | N/A | /ExecutivesVault | Don't Set | Don't Set | 20% |
Dynamic: "Mobil", Precedence 3 | N/A | N/A | Don't Set | Don't Set | 10 % |
Organizational: */Europe/IBM | N/A | N/A | 14 days | 90 days | N/A |
Organizational: */IBM | 90 days, ENFORCE | N/A | 21 days | N/A | N/A |
The first step in determining the effective policy is to resolve the hierarchies of which there is only one in this example. */IBM and */Europe/IBM. Resolving that results in the next table:
| Required Change Interval | Assigned vault | Warning Period | Allowed Grace Period | Low Battery Threshold |
Explicit: "Relaxed Logins" | 120 days | Don't Set | Don't Set | 120 days, INHERIT | Don't Set |
Dynamic: "Executives", Precedence 2 | N/A | /ExecutivesVault | Don't Set | Don't Set | 20% |
Dynamic: "Mobil", Precedence 3 | N/A | N/A | Don't Set | Don't Set | 10 % |
Organizational | 90 days, ENFORCE | N/A | 14 days | 90 days | N/A |
In the above table, the "Enforce Password Expiration" is kept because of the Enforce setting. The Warning Period setting is kept because the "*/Europe/IBM" policy has higher precedence than "*/IBM".
The second step is to resolve the group precedence between the "Executives" and "Mobil" group. This results in the next table:
| Required Change Interval | Assigned vault | Warning Period | Allowed Grace Period | Low Battery Threshold |
Explicit: "Relaxed Logins" | 120 days | Don't Set | Don't Set | 120 days, INHERIT | Don't Set |
Dynamic | N/A | /ExecutivesVault | Don't Set | Don't Set | 20% |
Organizational | 90 days, ENFORCE | N/A | 14 days | 90 days | N/A |
In the above table, the "Low Battery Threshold" is kept because the "Executives" group has higher precedence than "Mobil".
Lastly, the precedence among the three levels needs to be resolved:
| Required Change Interval | Assigned vault | Warning Period | Allowed Grace Period | Low Battery Threshold |
Bob Smith's effective policy | 90 days | /ExecutivesVault | 14 days | 90 days | 20% |
Conclusion:
Hopefully, this article has been helpful in explaining how the different policies and the factors that effect them combine to form the effective policy for a user. In the future, look for other articles that take a different approach, namely, how to put together a combination of policies to solve different administrative scenarios. Also, in this article the How To Apply feature was not discussed. That is because it is somewhat different from precedence. Look for an article on that in the future.